What reaches the model
The masked prompt — supported sensitive values are replaced with placeholders before any outbound provider call.
Trust
Understand exactly how Privian handles prompts, credentials, providers, retention, and data flow.
Everything on this page is grounded in the current implementation. No invented certifications, no invented customers, no invented metrics.
Start here
The fastest path through a Privian review. Each card opens the source page.
The masked prompt — supported sensitive values are replaced with placeholders before any outbound provider call.
Detected entities, the per-request placeholder map, and your decrypted provider credential.
Account and billing data, AES-GCM-encrypted BYOK credentials, hashed API keys, usage rollups, sanitized events.
Raw prompt bodies, rehydrated response bodies, the per-request entity map, and decrypted provider keys.
Row-level scoped to your organization. Provider credentials are decrypted in-process per request and discarded.
Your provider credential authenticates the upstream call. Billing and provider-side terms apply to your account.
Security review essentials
Short, extractable answers. Use the Learn more link for the full implementation reference.
| Question | Short answer | Learn more |
|---|---|---|
| What reaches the model? | The masked prompt only. Supported entities are replaced with placeholders such as PERSON_1, EMAIL_1 before the outbound provider call. | Data path |
| Do you store prompts? | No. Raw prompt bodies and rehydrated response bodies are not persisted. Only sanitized events and aggregate usage are retained. | Data handling |
| Do you train models? | No. Privian does not train models on customer prompts or responses. Privian uses deterministic in-process detectors for masking. | Data handling |
| Who owns API keys? | You own your Privian gateway API keys (shown once at creation, stored as SHA-256 hash) and your BYOK provider credentials. | Credential handling |
| Can I use my own provider account? | Yes. BYOK is the default. Your credential authenticates the upstream provider call; provider-side billing and terms apply to your account. | BYOK |
| What is retained? | Account, billing and team metadata; encrypted BYOK credentials; hashed API keys; usage rollups; sanitized observability events. | Retention |
| Do you support self-hosting? | Not at this time. Privian is operated as a managed gateway. Self-hosted inference is out of scope today. | Security model |
| Do you support data residency? | Region selection is not a contracted feature today. Provider-side region behavior is governed by your relationship with the provider. | Subprocessors |
| What subprocessors are involved? | Hosting and managed database, a payments processor, a transactional email provider, and the model provider you select for BYOK. | Subprocessors |
Enterprise evaluation package
A concise document teams can share internally during security reviews.
Many teams need a concise document they can share internally during security reviews. Privian Blueprint is designed to answer the most common procurement and enterprise AI questions in a single document — data path, retention, credential handling, subprocessors, and the explicit scope of what Privian is and is not.
Core trust resources
The pages a procurement or security reviewer will want open in tabs.
What reaches the model, what stays, what is logged.
Privian's security model, retention and credential handling.
How the gateway is built end-to-end.
Operational providers and the BYOK boundary.
Reducing prompt-level exposure under GDPR.
Why prompt-level controls matter and what Privian does.
The category Privian sits in and its boundaries.
Surface-level overview of LLM security concerns.
Scope
A deliberate list of things Privian does not do, so you can scope evaluation correctly.
For an explicit list of what is in scope today, see /resources/security.
FAQ